A person's behavior and Modus Operandi are not the same thing. One is not proof of the other. Although situations like this will result in a lot of finger pointing since behavior and attitude are often used to establish trust in the absense of actual evidence.

While both may have opinions on Slackware I disagree with, their contributions haven't been malicious in the slightest. Huge difference. Borderline xenophobic?

4 members found this post helpful.

Someone made a joke on Reddit about the bad actor(s) name. Very funny.
But the discussion has raised a lot of valid questions...
Including this long game by was luckily discovered, but how many may not have been. Open source vs closed source, etc
https://www.reddit.com/r/linux/comme...ibzma_already/

The funny stuff:
JIA CHEONG TAN
CIA JHEONG TAN
CIA JHON EGTAN
CIA JOHN AGENT
CIA AGENT JOHN
Case closed

3 members found this post helpful.

There is nothing xenophobic about not liking someone who has a reputation for being an asshole. Maybe it's a translation error, but even then a reasonable person would back away from a conversation once they see that their statements are causing frustration. LC in particular seems unable to grasp that concept - in addition to his weird conspiracy rants.

But to stay on topic there's nothing inherently malicious about someone being a dumbass. What is interesting is that bad behavior or COO (during a time of crisis) will often be used to approximate who is, and who is NOT trust worthy. This isn't racism or xenophobia, it's just human nature when the chain of trust is broken.

Given that this whole exploit is rooted in "who do we trust" we need to be aware that a lot of people are immediately going to start looking for other bad actors. It would behoove everyone in the FOSS/Linux world to take a deep breath and avoid jumping to conclusions. Even the most well-intentioned person can sometimes get it wrong.

My comment was meant in a tongue-in-cheek way. Sorry for the misunderstanding.

2 members found this post helpful.

I know this is off topic, but Slackware isn't difficult to install.. The issue however is as soon a an OS use some kind of automatic partitioning to install, it becomes an inherently unsafe installation method, because in general it just does "whipe the whole disk, create random partition scheme and install". This is the approach of Windows and several GNU/Linux distros. But unlike Windows it is not dangerous to insert the install medium with the Linux distros at the very least, as they don't automatically destroy everything by default.

Yes, but it's concerning (to put it mildly) that a "tongue-in-cheek" post about those two being malicious actors was even made. Both have had several credits in the changelog, and there's nothing to suspect them putting backdoors in anything. I guess we're agreeing more than we're disagreeing, here. An accusation like that shouldn't be a joke--it's a very serious thing that leads down a slippery slope I don't think the FOSS community is ready to accept. I don't think it's an accident, either, that the finger was pointed (admittedly as a "joke") to the two people most "foreign" to the average slacker. I mean, if the Linux community is at risk by difficult personalities, quirky personalities, and people who are sometimes jerks or have weird conspiracy theories, then there are a *lot* of those types in the Linux community. (Anyone remember usenet? It was a wild place in the late 90's...)

3 members found this post helpful.

There was another thread about this on the Slackware forum, with the first ~20 posts on topic that might be of interest to some: https://www.linuxquestions.org/quest...ng-4175735492/

1 members found this post helpful.

Good link. The bit that caught my eye was That's because it could have been a "Solar Winds" type exploit for the linux community. Hats off to Andres Freund.

1 members found this post helpful.

I more-or-less agree, but I also don't think going completely the opposite direction and saying that "people in the FOSS world are quirky" is an effective refutation. A contributor is malicious because their contributions are malicious. Saying that someone has multiple mentions in the changelog serves no purpose other than dismiss the claim. In this specific situation the claim was made in jest.. but if the accusation had been real then you were just throwing fuel on the fire.

If we look at this from the perspective that a Trusted contributor can turn out not to be trusted, then that concept applies to all of us. The exploit here was from someone who had a history of being a positive part of the community, until suddenly he wasn't.

What I'm saying is that we need to re-think how we deal with such accusations. A sarcastic joke on a text-based forum isn't particularly helpful for obvious reasons. But running in the complete opposite direction and defending a contributor by saying "he has multiple contributions" is literally just setting everyone up for a tribal fight. Like with anything in computers, you have an idea or intent, and then an IMPLEMENTATION of that idea. Creating a tribal fight seems like a pretty crappy way to resolve conflict IMO.

Case in point - I contributed a patch involving shared library search paths. Does that mean everything I say or do from this moment on is authentic? Seem innocent enough. Or am I just setting up pathing for a later exploit?

1 members found this post helpful.

Because you and madridsecreto insinuate that me and LuckyCyborg had malicious contributions, please punctually and specifically say here in detail what these malicious contributions of mine and his are.

It seems absurd to me that from this XZ backdoor you and madridsecreto end up accusing me of malicious contributions.

And for trivia, this JIA CHEONG TAN is not a Chinese name of a person. These are three Chinese surnames, the first two being old Cantonese or Hong Kong surnames. I think you probably find more Cheong in the North American continent than in all of mainland China or Taiwan.

I have no experience with the secret services, but it seems absurd to me that Messrs. Jia, Cheong and Tan to blatantly sign "who did it" in an undercover mission.

My personal opinion is that they are the same Chinese Americans who insinuated racism when Linus Torvalds ordered to be removed from the Linux kernel any contribution of the university that shelters them.

P.S. For those who have a hard time remembering LuckyCyborg's username, his name is Ivan. He's a Russian named Ivan. Simple, right?

6 members found this post helpful.

It's exactly the same
They gained the maintainer's trust by offering patches (among others things you can review in the changelog)
That's why, today, we have an excellent Slackware with great kde/wayland/pipewire integration
Thanks to them

It seems you're not just forgetting names

5 members found this post helpful.

What? Did you read any of what I said?

I did NOT accuse you of malicious contributions.

4 members found this post helpful.

Why bring Lennart and systemd into this?